
CWE-287 (Improper Authentication) — Vulnerability Class, 1199 CVEs

1199 vulnerabilities classified as CWE-287 (Improper Authentication). AI-generated Chinese analysis included.

CWE-287 represents a critical authentication weakness where a system fails to adequately verify the identity of an actor claiming a specific identity. This flaw typically allows attackers to bypass security controls by exploiting insufficient verification mechanisms, enabling unauthorized access through stolen credentials, brute-force attacks, or session hijacking. When authentication logic is flawed, malicious entities can impersonate legitimate users, leading to severe data breaches and privilege escalation. Developers mitigate this risk by implementing robust, multi-factor authentication protocols and ensuring that identity verification processes are rigorous and resistant to common attack vectors. By strictly validating credentials against secure, hashed databases and employing adaptive security measures, organizations can significantly reduce the likelihood of unauthorized access, thereby protecting sensitive information and maintaining system integrity against sophisticated cyber threats.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Phase: Architecture and Design. Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
Bad · Perl

    use CGI;                       # CGI.pm supplies the param() and cookie() helpers used below
    my $q = new CGI;
    # Only authenticate when the client has not already *claimed* to be logged in.
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie(
                -name  => 'loggedin',
                -value => 'true'
            );
            $q->cookie(
                -name  => 'user',
                -value => $q->param('username')
            );
        }
    }
    # The 'user' cookie is supplied by the client, so this check can be satisfied
    # by anyone who sets the cookie themselves, without ever authenticating.
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }
Attack

The request below supplies both cookies directly; since the server never verifies them, no username or password is needed:

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]
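The following Python example is added here to contrast the cookie check above with one the server can actually trust; it is not code from MITRE or from this page. It reproduces the page's pattern (trusting `user` and `loggedin` cookies set by the client) as `is_admin_insecure`, and beside it verifies an HMAC-authenticated session cookie before believing the identity inside it. The cookie name `session`, the key `SERVER_KEY`, and the sample request headers are constructed for this example.

```python
"""Client-trusted "remember me" cookie versus a server-authenticated one.

Added example (not from MITRE or the page). Assumed names: the cookie
"session" and SERVER_KEY are inventions of this example.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

# Assumed server-side secret; a real deployment loads this from a secrets store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def parse_cookies(headers: List[str]) -> Dict[str, str]:
    """Flatten one or more Cookie header values into a name -> value map."""
    cookies: Dict[str, str] = {}
    for header in headers:
        for part in header.split(";"):
            name, sep, value = part.strip().partition("=")
            if sep:
                cookies[name.strip()] = value.strip()
    return cookies


def is_admin_insecure(cookies: Dict[str, str]) -> bool:
    """The CWE-287 pattern from the Perl snippet: both values come straight from the client."""
    return cookies.get("loggedin") == "true" and cookies.get("user") == "Administrator"


def make_session_cookie(user: str, key: bytes = SERVER_KEY) -> str:
    """Issue `user:mac` only after the server has actually authenticated the user."""
    mac = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_session_cookie(value: Optional[str], key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the username only if the MAC proves the server issued this exact value."""
    if not value:
        return None
    user, sep, mac = value.rpartition(":")
    if not sep or not user:
        return None
    expected = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    return user


def is_admin_secure(cookies: Dict[str, str]) -> bool:
    """Trust the identity only after the cookie has been authenticated."""
    return verify_session_cookie(cookies.get("session")) == "Administrator"


# Constructed input: the forged request shown on the page, as two Cookie headers.
FORGED_HEADERS = ["user=Administrator", "loggedin=true"]


def tampered_cookie() -> str:
    """Take a cookie issued to 'alice' and rewrite the name part to 'Administrator'."""
    _, _, mac = make_session_cookie("alice").rpartition(":")
    return f"Administrator:{mac}"


if __name__ == "__main__":
    forged = parse_cookies(FORGED_HEADERS)
    print("insecure check accepts forged cookies:", is_admin_insecure(forged))      # True
    print("secure check accepts forged cookies:  ", is_admin_secure(forged))        # False
    print("tampered cookie verifies as:", verify_session_cookie(tampered_cookie()))  # None
    issued = parse_cookies([f"session={make_session_cookie('Administrator')}"])
    print("server-issued admin cookie accepted:", is_admin_secure(issued))          # True
```

A server-side session store keyed by a random token is the other common fix and removes the identity from the cookie entirely; the HMAC form is used here only so the example runs without a store. Either way, the MAC or token proves only that the server issued the value, so expiry and revocation still have to be handled separately, and a rejected cookie is worth logging since a `user=Administrator` value with a bad MAC is a clear forgery signal.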
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
Rows marked (AI) carry a CVSS score and severity labelled as AI-derived on the original page rather than taken from the CVE record.

| CVE ID | Title — Product | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-27197 | Sentry: Improper Authentication on SAML SSO process allows user identity linking — sentry | 9.1 | Critical | 2026-02-21 |
| CVE-2026-27134 | Strimzi: All CAs from a custom CA chain consisting of multiple CAs are trusted for mTLS user autentication — strimzi-kafka-operator | 8.1 | High | 2026-02-20 |
| CVE-2025-41023 | Authentication bypass in AutoGPT de Thesamur — AutoGPT | 9.8 (AI) | Critical (AI) | 2026-02-19 |
| CVE-2025-15586 | OGP-Website security vulnerability — OGP-Website | 9.8 (AI) | Critical (AI) | 2026-02-19 |
| CVE-2025-15581 | Orthanc security vulnerability — orthanc | 9.8 (AI) | Critical (AI) | 2026-02-18 |
| CVE-2026-26119 | Windows Admin Center Elevation of Privilege Vulnerability — Windows Admin Center | 8.8 | High | 2026-02-17 |
| CVE-2026-25922 | authentik has a Signature Verification Bypass via SAML Assertion Wrapping — authentik | 8.8 | High | 2026-02-12 |
| CVE-2026-25748 | authentik has a forward authentication bypass with broken cookie — authentik | 8.6 | High | 2026-02-12 |
| CVE-2025-68663 | Outline has a suspended user authentication bypass via WebSocket connections — outline | 4.3 (AI) | Medium (AI) | 2026-02-11 |
| CVE-2026-21508 | Windows Storage Elevation of Privilege Vulnerability — Windows 10 Version 1607 | 7.0 | High | 2026-02-10 |
| CVE-2026-23906 | Apache Druid: Authentication Bypass via LDAP Anonymous Bind — Apache Druid | 9.8 (AI) | Critical (AI) | 2026-02-10 |
| CVE-2025-10463 | Improper Authentication in Birtech Information Technologies' Sensaway — Senseway | 7.3 | High | 2026-02-09 |
| CVE-2026-2174 | code-projects Contact Management System CRUD Endpoint improper authentication — Contact Management System | 7.3 | High | 2026-02-08 |
| CVE-2026-25804 | Antrea has invalid enforcement order for network policy rules caused by integer overflow — antrea | 4.3 (AI) | Medium (AI) | 2026-02-06 |
| CVE-2025-64175 | Gogs Vulnerable to 2FA Bypass via Recovery Code — gogs | 8.2 (AI) | High (AI) | 2026-02-06 |
| CVE-2026-1740 | EFM ipTIME A8004T Hidden Hiddenloginsetup timepro.cgi httpcon_check_session_url improper authentication — ipTIME A8004T | 7.3 | High | 2026-02-02 |
| CVE-2025-62349 | Salt Master authentication protocol downgrade may enable minion impersonation — Salt | 6.2 | Medium | 2026-01-30 |
| CVE-2026-22764 | Dell OpenManage Network Integration authorization issue vulnerability — OpenManage Network Integration | 4.3 | Medium | 2026-01-29 |
| CVE-2025-12810 | Failure in Password Rotation and Check-in Mechanism in Secret Server Allows Reuse of Credentials — Secret Server On-Prem | 9.1 (AI) | Critical (AI) | 2026-01-27 |
| CVE-2026-24003 | EvseV2G has sequence state validation bypass — everest-core | 4.3 | Medium | 2026-01-26 |
| CVE-2026-0633 | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor <= 4.1.0 - Unauthenticated Form Submission Exposure via Forgeable Cookie Value — MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | 3.7 | Low | 2026-01-24 |
| CVE-2026-24038 | Horilla HR has 2FA Bypass through its OTP Handling Logic — horilla | 8.1 | High | 2026-01-22 |
| CVE-2026-1203 | CRMEB JSON Token LoginServices.php remoteRegister improper authentication — CRMEB | 5.6 | Medium | 2026-01-20 |
| CVE-2026-1202 | CRMEB LoginController.php appleLogin improper authentication — CRMEB | 7.3 | High | 2026-01-20 |
| CVE-2026-0629 | Authentication Bypass in Password Recovery Feature via Local Web App on Multiple VIGI Cameras — VIGI InSight Sx45 Series (S245/S345/S445) | 8.8 | - | 2026-01-16 |
| CVE-2026-22236 | Improper Authentication Vulnerability in BLUVOYIX — BLUVOYIX | 9.1 (AI) | Critical (AI) | 2026-01-14 |
| CVE-2025-67859 | Polkit Authorization Check can be Bypassed in the TLP power daemon — TLP | 5.5 (AI) | Medium (AI) | 2026-01-14 |
| CVE-2025-68931 | Jervis has AES CBC Mode Without Authentication — jervis | 9.1 (AI) | Critical (AI) | 2026-01-13 |
| CVE-2026-0408 | Path traversal vulnerability in Netgear WiFi Range Extenders — EX5000 | 5.7 (AI) | Medium (AI) | 2026-01-13 |
| CVE-2026-0407 | Authentication bypass in NETGEAR WiFi Range Extenders via network adjacent attacks — EX5000 | 8.8 (AI) | High (AI) | 2026-01-13 |

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1199 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.